Difference between revisions of "PolicyConfigurationFiles"

(New page: = Policy Configuration Files = Each file discussed in this section is relative to the policy name as follows: <nowiki>/etc/selinux/<policy_name></nowiki> The majority of files are instal...)

This file is used by the mcstransd(8) daemon (available in the mcstrans rpm). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels.

This file is used by the mcstransd(8) daemon (available in the mcstrans rpm). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels.

+

+

There are a number of sample configuration files within the <tt>mcstrans</tt> package that describe the configuration options in detail that are located at <tt>/usr/share/mcstrans/examples</tt>.

The daemon will not load unless a valid MCS or MLS policy is active.

The daemon will not load unless a valid MCS or MLS policy is active.

+

+

The translations can be disabled by added the following line to the file:

+

<pre>

+

disable = 1

+

</pre>

The semanage command can be used to update this file.

The semanage command can be used to update this file.

+

+

This file will also support the display of information in colour. The configuration file that controls this is called <tt>secolor.conf</tt> and is described in the [[#secolor.conf File | secolor.conf File]] section.

'''The file format is as follows:'''

'''The file format is as follows:'''

+

+

There are a number of configuration options available that are described in a README file within the source code package (but not included with the installed package). The contents of this file (from <tt>mcstrans-0.3.1-3</tt> source package) is as follows:

<pre>

<pre>

−

<nowiki># Enable / disable translation service:</nowiki>

+

# This file is from the mcstrans-0.3.1/conf/README file within the source package.

−

disable=1|0

+

# Syntax

−

<nowiki># Each line consists of a level or range with user friendly </nowiki>

# Within a domain are variable translations that are a Base + ModifierGroup + ModifierGroup

−

{| border="1"

+

Base=Sensitivity Levels

−

| | disable

+

# raw_range=name

−

| | To disable the translation service, set disable=1. To enable the service comment out the entry or set disable=0.

+

s1=Unclassified

+

# Aliases have the same name but a different translation.

+

# The first one is used to compute translations

+

s1=U

+

# inverse bits should appear in the base of any level that uses inverse bits

+

s2:c200.c511=Restricted

+

# repeat as required...

−

|-

+

# Modifier Groups should be in the order of appearance in the translated range.

−

| | range

+

ModifierGroup=GROUP1

−

| | The optional level or range as defined in the MLS range definition section.

+

# Allowed white space can be defined

+

Whitespace=- ,/

+

# Join defines the character between multiple members of this group

+

Join=/

+

# A Prefix can be defined per group

+

Prefix=Releasable to

+

# Inverse categories (releasabilities) should always be set as Default categories in every ModifierGroup

+

Default=c200.c511

+

# format is raw_categories=name

+

# ~ turns off inverse bits

+

~c200.c511=EVERYBODY

−

|-

+

# Aruba - bit 201

−

| | text_label

+

~c200,~c201=ABW

−

| | The user friendly label to be displayed by SELinux-aware applications that use the translation service API.

+

~c200,~c201=AA

+

# Afghanistan - bit 202

+

~c200,~c202=AFG

+

~c200,~c202=AF

+

# repeat as required...

−

|}

+

# Another Modifier Group

+

ModifierGroup=GROUP2

+

# With different white space

+

Whitespace=

+

# And different Join

+

Join=,

+

# A Suffix can be defined per group

+

Suffix=Eyes only

+

# Default categories need to be consistent

+

Default=c200.c511

+

# New domain

+

Domain=NAME2

+

+

# any text can be put in a separate file

+

Include=PATH

+

Include=PATH

+

</pre>

'''Example file contents:'''

'''Example file contents:'''

<pre>

<pre>

−

<nowiki># </nowiki>./setrans.conf - Taken from the reference policy.

+

# ./setrans.conf - Taken from the reference policy.

−

<nowiki>#</nowiki>

+

#

−

<nowiki># Multi-Level Security translation table for SELinux</nowiki>

+

# Multi-Level Security translation table for SELinux

−

<nowiki># </nowiki>

+

#

−

<nowiki># Uncomment the following to disable translation library</nowiki>

+

# Uncomment the following to disable translation library

−

<nowiki># disable=1</nowiki>

+

# disable=1

−

<nowiki>#</nowiki>

+

#

−

<nowiki># SystemLow and SystemHigh</nowiki>

+

# SystemLow and SystemHigh

−

+

s0=SystemLow

s0=SystemLow

s15:c0.c1023=SystemHigh

s15:c0.c1023=SystemHigh

s0-s15:c0.c1023=SystemLow-SystemHigh

s0-s15:c0.c1023=SystemLow-SystemHigh

−

<nowiki># Unclassified level</nowiki>

+

# Unclassified level

s1=Unclassified

s1=Unclassified

−

<nowiki># Secret level with compartments</nowiki>

+

# Secret level with compartments

s2=Secret

s2=Secret

s2:c0=A

s2:c0=A

s2:c1=B

s2:c1=B

−

<nowiki># ranges for Unclassified</nowiki>

+

# ranges for Unclassified

s0-s1=SystemLow-Unclassified

s0-s1=SystemLow-Unclassified

s1-s2=Unclassified-Secret

s1-s2=Unclassified-Secret

s1-s15:c0.c1023=Unclassified-SystemHigh

s1-s15:c0.c1023=Unclassified-SystemHigh

−

<nowiki># ranges for Secret with compartments</nowiki>

+

# ranges for Secret with compartments

s0-s2=SystemLow-Secret

s0-s2=SystemLow-Secret

s2:c1-s15:c0.c1023=Secret:B-SystemHigh

s2:c1-s15:c0.c1023=Secret:B-SystemHigh

s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

</pre>

</pre>

−

'''Example semanage command:'''

'''Example semanage command:'''

<pre>

<pre>

−

<nowiki># Add a new entry to the file. Note that the -T flag component </nowiki>

+

# Add a new entry to the file. Note that the -T flag component

−

<nowiki># (the user friendly name for the level) must not have spaces.</nowiki>

+

# (the user friendly name for the level) must not have spaces.

semanage translation -a -T Top-Level s15:c1023

semanage translation -a -T Top-Level s15:c1023

</pre>

</pre>

<pre>

<pre>

−

<nowiki># List the setrans.conf file contents</nowiki>

+

# List the setrans.conf file contents

semanage translation -l

semanage translation -l

...

...

+

s15:c1023=Top-Level

s15:c1023=Top-Level

</pre>

</pre>
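
Review bot: the lead-in "The file format is as follows:" is left dangling by this hunk. The table that described the `disable`, `range` and `text_label` fields is removed, but the line that introduced it is kept, so it now runs straight into the README paragraph; either drop that line or reword it so that it introduces the README. A smaller point at the end of the README: `Include=PATH` appears twice, which reads as a paste duplicate unless a comment says that several files may be included.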

Line 146:

Line 194:

</pre>

</pre>

+

+

== secolor.conf File ==

+

This optional file controls the colour to be associated to the various fields within the <tt>mctrans.conf</tt> file when the information is displayed by a SELinux colour-aware application (currently none!). This has not been fully documented, however the file format is as follows:

+

<pre>

+

color color_name = color_mask

+

+

context_field string foreground_color_name background_color_name

+

</pre>

+

+

'''Where:'''

+

{| border="1"

+

| color

+

| The color keyword.

+

+

|-

+

| color_name

+

| A descriptive name for the colour (e.g. <tt>red</tt>).

+

+

|-

+

| color_mask

+

| A colour mask starting with a hash (<tt>#</tt>) that describes the colour with black being <tt>#ffffff</tt> and white being <tt>#000000</tt>.

+

+

|-

+

| context_field

+

| The colour translation supports different colours on the context string components (<tt>user</tt>, <tt>role</tt>, <tt>type</tt> and <tt>range</tt> or <tt>level</tt>). Each component is on a separate line.

+

+

|-

+

| string

+

| This is a defined string within the <tt>setrans.conf</tt> file that will be displayed in the colour required. The colour initialisation code will check that the field exists in the file. An <tt>*</tt> can be used to define all entries of the defined <tt>context_field</tt> entry.

+

+

|-

+

| foreground_color_name

+

| The <tt>color_name</tt> string that will be used as the foreground colour.

+

+

|-

+

| background_color_name

+

| The <tt>color_name</tt> string that will be used as the background colour.

+

+

|}

+

+

+

'''Example file contents:'''

+

<pre>

+

color black = #000000

+

color green = #008000

+

color yellow = #ffff00

+

color blue = #0000ff

+

color white = #ffffff

+

color red = #ff0000

+

color orange = #ffa500

+

color tan = #D2B48C

+

+

user * = black black

+

role * = white black

+

type * = tan orange

+

range s0-s0:c0.c1023 = black green

+

range s1-s1:c0.c1023 = white green

+

range s3-s3:c0.c1023 = black tan

+

range s5-s5:c0.c1023 = white blue

+

range s7-s7:c0.c1023 = black red

+

range s9-s9:c0.c1023 = black orange

+

range s15:c0.c1023 = black yellow

+

</pre>

+

+

'''Supporting libselinux API functions are:'''

+

<pre>

+

selinux_colors_path

+

selinux_raw_context_to_color - this call returns the foreground

+

and background colours of the context string as the specified

+

'color' hex digits as follows:

+

user : role : type : range

+

#000000 #000000 #ffffff #000000 #d2b48c #ffa500 #000000 #008000

+

black black white black tan orange black green

+

</pre>

== policy/policy.[ver] File ==

== policy/policy.[ver] File ==
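
Review bot: the `color_mask` row has its two reference values swapped: it says black is `#ffffff` and white is `#000000`, while the example file in the same hunk defines `color black = #000000` and `color white = #ffffff`; swap them. The section intro also names the file being coloured `mctrans.conf`, whereas the `string` row and the rest of the page call it `setrans.conf`.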

Line 193:

Line 315:

</pre>

</pre>

−

=== contexts/default_contexts File ===

+

== contexts/default_contexts File ==

Used by SELinux-aware applications that need to set a security context for user processes (generally the login applications) where:

Used by SELinux-aware applications that need to set a security context for user processes (generally the login applications) where:

Line 389:

Line 511:

−

=== contexts/initrc_context File ===

+

== contexts/initrc_context File ==

This is used by the run_init(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.

This is used by the run_init(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.

Line 424:

Line 546:

selinux_context_path

selinux_context_path

</pre>

</pre>

−

== contexts/netfilter_contexts File ==

== contexts/netfilter_contexts File ==

Line 546:

Line 667:

−

== contexts/x_contexts File ==

+

== contexts/virtual_domain_context File ==

−

This file is provides the security contexts (and other configuration information) for the X-Windows SELinux security extensions provided via Xace (X access control extension). No idea how it works (yet anyway). The MCS / MLS version of the file has the appropriate level or range context added.

+

This is used by the virtulization API (<tt>libvirt</tt>) and provides the domain contexts that can be used (these are defined in the policy).

'''Example file contents:'''

'''Example file contents:'''

<pre>

<pre>

−

<nowiki># </nowiki>./contexts/x_contexts - Taken from the reference policy.

+

# ./contexts/virtual_domain_context - Taken from the standard

−

<nowiki>#</nowiki>

+

# reference policy.

−

<nowiki># Config file for XSELinux extension</nowiki>

+

−

<nowiki>#</nowiki>

+

−

<nowiki># The default client rule defines a context to be used for all clients</nowiki>

+

−

<nowiki># connecting to the server from a remote host.</nowiki>

+

−

<nowiki>#</nowiki>

+

−

client<nowiki>*</nowiki>system_u:object_r:remote_xclient_t

+

−

<nowiki>##</nowiki>

+

system_u:system_r:svirt_t

−

<nowiki>### Rules for X Properties</nowiki>

+

</pre>

−

<nowiki># Property rules map a property name to a context. </nowiki>A default property

+

−

<nowiki># rule indicated by an asterisk should follow all other property rules.</nowiki>

+

<pre>

−

<nowiki>#</nowiki>

+

# ./contexts/virtual_domain_context - Taken from the MLS/MCS

−

<nowiki># Properties that normal clients may only read</nowiki>

+

# reference policy.

−

property XFree86_VTsystem_u:object_r:info_xproperty_t

+

−

property XFree86_DDC_EDID1_RAWDATAsystem_u:object_r:info_xproperty_t

+

system_u:system_r:svirt_t:s0

−

<nowiki>##</nowiki>

+

−

<nowiki>### Rules for X Extensions</nowiki>

+

−

<nowiki>##</nowiki>

+

−

<nowiki># Extension rules map an extension name to a context. </nowiki>A default extension

+

−

<nowiki># rule indicated by an asterisk should follow all other extension rules.</nowiki>

+

−

<nowiki>#</nowiki>

+

−

<nowiki># Standard extensions</nowiki>

+

−

extension BIG-REQUESTSsystem_u:object_r:std_xext_t

+

−

extension SHAPEsystem_u:object_r:std_xext_t

+

−

<nowiki>##</nowiki>

+

−

<nowiki>### Rules for X Selections</nowiki>

+

−

<nowiki>##</nowiki>

+

−

<nowiki># Selection rules map a selection name to a context. </nowiki>A default selection

+

−

<nowiki># rule indicated by an asterisk should follow all other selection rules.</nowiki>

<nowiki># rule indicated by an asterisk should follow all other event rules.</nowiki>

+

−

<nowiki>#</nowiki>

+

−

<nowiki># Input events</nowiki>

+

−

event X11:KeyPresssystem_u:object_r:input_xevent_t

+

−

event X11:KeyReleasesystem_u:object_r:input_xevent_t

+

</pre>

</pre>

'''Supporting libselinux API functions are:'''

'''Supporting libselinux API functions are:'''

<pre>

<pre>

−

selinux_x_context_path

+

selinux_virtual_domain_context_path

</pre>

</pre>

+

+

+

== contexts/virtual_image_context File ==

+

This is used by the virtulization API (<tt>libvirt</tt>) and provides the image contexts that can be used (these are defined in the policy).

+

+

'''Example file contents:'''

+

<pre>

+

# ./contexts/virtual_image_context - Taken from the standard

+

# reference policy.

+

+

system_u:system_r:svirt_image_t:s0

+

system_u:system_r:svirtcontent_t:s0

+

</pre>

+

+

<pre>

+

# ./contexts/virtual_image_context - Taken from the MLS/MCS

+

# reference policy.

+

+

system_u:system_r:svirt_image_t:s0

+

system_u:system_r:svirtcontent_t:s0

+

</pre>

+

+

'''Supporting libselinux API functions are:'''

+

<pre>

+

selinux_virtual_image_context_path

+

</pre>

+

+

+

== contexts/x_contexts File ==

+

This file is provides the security contexts (and other configuration information) for the X-Windows SELinux security extension. The useage is discussed in the X-windows SELinux Support section and examples of how to add additional entries is shown in the Experimenting with X-Windows section. The MCS / MLS version of the file has the appropriate level or range information added.

+

+

The <tt>selabel_*</tt> set of <tt>libselinux</tt> API functions allow information to be retrieved from the <tt>x_contexts</tt> file. These are described in the relevant man pages and also in <tt>selabel_x(5)</tt>.

| These are the object names of the specific X-server resource such as <tt>PRIMARY</tt>, <tt>CUT_BUFFER0</tt> etc. They are generally defined in the X-server source code (<tt>protocol.txt</tt> and <tt>BuiltInAtoms </tt>in the <tt>dix</tt> directory of the <tt>xorg-server</tt> source package) or by the X-Windows application (e.g. using <tt>XInternAtom</tt>).

+

+

This can contain '<tt>*</tt>' for 'any' or '<tt>?</tt>' for 'substitute' (see the <tt>CUT_BUFFER?</tt> entry where the '<tt>?</tt>' would be substituted for a number between 0 and 7 that represents the number of these buffers).

+

+

|-

+

| <tt>context</tt>

+

| This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label (<tt>:s0</tt> as standard).
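
Review bot: the standard and MLS/MCS `virtual_image_context` examples are identical and both carry a `:s0` level, although the standard `virtual_domain_context` example earlier in this hunk has no level; the standard image example looks like a copy of the MLS/MCS one and should be checked against the policy sources. Also `virtulization` (in both new sections) should be `virtualization`, and the reworked x_contexts intro still reads `This file is provides` and `useage`.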

Policy Configuration Files

Each file discussed in this section is relative to the policy name as follows:

/etc/selinux/<policy_name>

The majority of files are installed by the Reference Policy, semanage or semodule processes. It is possible to build custom monolithic policies that only use the files installed in this area (i.e. do not use semanage or semodule). For example, a simple monolithic policy could run at init 3 (i.e. no X-Windows) and only require the following configuration files:

./policy/policy.[ver] - The binary policy loaded into the kernel.

./contexts/files/file_contexts - To allow the filesystem to be relabeled.

If the simple policy is to run at init 5 (i.e. with X-Windows), then an additional file is required:

./contexts/dbus_contexts - To allow the dbus messaging service to run under SELinux.

seusers File

This file is used by login programs (normally via the libselinux library) and maps GNU / Linux users (as defined in the user / passwd files) to SELinux users (defined in the policy). A typical login sequence would be:

1. Using the GNU / Linux user_id, look up the seuser_id in this file. If an entry cannot be found, then use the __default__ entry.

2. To determine the remaining context to be used as the security context, read the ./contexts/users/[seuser_id] file. If this file is not present, then:

3. Check for a default context in the ./contexts/default_contexts file. If no default context is found, then:

4. Read the ./contexts/failsafe_context file to allow a fail safe context to be set.

Note: The system_u user is defined in this file, however there must be no system_u GNU / Linux user configured on the system.

The format of the seusers file is the same as the files described in the ./modules/active/seusers.final and seusers section, where an example semanage user command is also shown.

# ./seusers file for an MLS system. Note that the system_u user
# has access to all security levels and therefore should not be
# configured as a valid GNU / Linux user.
system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0

Supporting libselinux API functions are:

getseuser
getseuserbyname
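
The login lookup chain described above, as an added worked example (not libselinux code): it resolves a login name through seusers, the per-SELinux-user file, default_contexts and failsafe_context, using the page's MLS seusers example plus constructed copies of the other files. The default_contexts line layout assumed here (the login process's own role:type first, then candidate role:type entries in preference order) follows the unconfined_r:unconfined_t entry shown later on this page.

```python
# Added example (not libselinux code): walk the login-time lookup chain the
# seusers section describes: seusers -> contexts/users/<seuser_id> ->
# contexts/default_contexts -> contexts/failsafe_context.
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for /etc/selinux/<policy_name>, keyed by relative path.
# The seusers text is the page's MLS example; the other files are constructed
# and use the default_contexts layout assumed here:
#   <role:type of the login process>  <candidate role:type> [<role:type> ...]
POLICY_FILES: Dict[str, str] = {
    "seusers": (
        "# ./seusers file for an MLS system.\n"
        "system_u:system_u:s0-s15:c0.c255\n"
        "root:root:s0-s15:c0.c255\n"
        "fred:user_u:s0\n"
        "__default__:user_u:s0\n"
    ),
    "contexts/users/root": "system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t\n",
    "contexts/default_contexts": (
        "system_r:sshd_t user_r:user_t\n"
        "system_r:local_login_t user_r:user_t staff_r:staff_t\n"
    ),
    "contexts/failsafe_context": "unconfined_r:unconfined_t\n",
}


def parse_seusers(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map GNU/Linux login name -> (seuser_id, MLS range or None).

    A line is login:seuser[:range]; maxsplit=2 keeps 's0-s15:c0.c255' intact.
    """
    mapping: Dict[str, Tuple[str, Optional[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2:
            raise ValueError(f"malformed seusers line: {raw!r}")
        mapping[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else None)
    return mapping


def lookup_seuser(files: Dict[str, str], login: str) -> Tuple[str, Optional[str]]:
    """Step 1: exact login match, else the __default__ entry."""
    mapping = parse_seusers(files["seusers"])
    if login in mapping:
        return mapping[login]
    if "__default__" in mapping:
        return mapping["__default__"]
    raise LookupError(f"no seusers entry or __default__ for {login!r}")


def candidates(text: str, caller: str) -> List[str]:
    """Ordered role:type candidates on the line whose first field is the
    login process's own role:type (assumed default_contexts layout)."""
    for raw in text.splitlines():
        fields = raw.split()
        if fields and not fields[0].startswith("#") and fields[0] == caller:
            return fields[1:]
    return []


def resolve_login_context(files: Dict[str, str], login: str,
                          caller: str = "system_r:sshd_t") -> Tuple[str, str]:
    """Return (security context, file that decided the role:type) for a login."""
    seuser, mls = lookup_seuser(files, login)
    # Step 2: the per-SELinux-user file, if present.
    per_user = files.get(f"contexts/users/{seuser}")
    chosen = candidates(per_user, caller) if per_user is not None else []
    source = f"contexts/users/{seuser}"
    # Step 3: default_contexts when the per-user file is absent (this example
    # also falls through when that file has no line for this caller).
    if not chosen:
        chosen = candidates(files.get("contexts/default_contexts", ""), caller)
        source = "contexts/default_contexts"
    # Step 4: failsafe_context holds a single bare role:type line.
    if not chosen:
        chosen = [files["contexts/failsafe_context"].strip()]
        source = "contexts/failsafe_context"
    context = f"{seuser}:{chosen[0]}"
    if mls:
        context += f":{mls}"
    return context, source


if __name__ == "__main__":
    for user, caller in (("root", "system_r:sshd_t"), ("fred", "system_r:sshd_t"),
                         ("alice", "system_r:sshd_t"), ("alice", "system_r:xdm_t")):
        print(user, caller, "->", resolve_login_context(POLICY_FILES, user, caller))
```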

setrans.conf File

This file is used by the mcstransd(8) daemon (available in the mcstrans rpm). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels.

There are a number of sample configuration files, located at /usr/share/mcstrans/examples within the mcstrans package, that describe the configuration options in detail.

The daemon will not load unless a valid MCS or MLS policy is active.

The translations can be disabled by adding the following line to the file:

disable = 1

The semanage command can be used to update this file.

This file will also support the display of information in colour. The configuration file that controls this is called secolor.conf and is described in the secolor.conf File section.

The file format, and the configuration options available, are described in a README file within the source code package (but not included with the installed package). The contents of this file (from the mcstrans-0.3.1-3 source package) are as follows:

# This file is from the mcstrans-0.3.1/conf/README file within the source package.
# Syntax
# A domain is a self consistent domain of translation (English, German, Paragraph Markings ...)
Domain=NAME1
# Within a domain are a number of fixed translations
# format is raw_range=trans_range
s3:c200.c511=Confidential
# repeat as required...
# Within a domain are variable translations that are a Base + ModifierGroup + ModifierGroup
Base=Sensitivity Levels
# raw_range=name
s1=Unclassified
# Aliases have the same name but a different translation.
# The first one is used to compute translations
s1=U
# inverse bits should appear in the base of any level that uses inverse bits
s2:c200.c511=Restricted
# repeat as required...
# Modifier Groups should be in the order of appearance in the translated range.
ModifierGroup=GROUP1
# Allowed white space can be defined
Whitespace=- ,/
# Join defines the character between multiple members of this group
Join=/
# A Prefix can be defined per group
Prefix=Releasable to
# Inverse categories (releasabilities) should always be set as Default categories in every ModifierGroup
Default=c200.c511
# format is raw_categories=name
# ~ turns off inverse bits
~c200.c511=EVERYBODY
# Aruba - bit 201
~c200,~c201=ABW
~c200,~c201=AA
# Afghanistan - bit 202
~c200,~c202=AFG
~c200,~c202=AF
# repeat as required...
# Another Modifier Group
ModifierGroup=GROUP2
# With different white space
Whitespace=
# And different Join
Join=,
# A Suffix can be defined per group
Suffix=Eyes only
# Default categories need to be consistent
Default=c200.c511
# New domain
Domain=NAME2
# any text can be put in a separate file
Include=PATH
Include=PATH
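
An added example (not part of mcstransd or of this page) of the fixed raw=translated half of this format: it parses a setrans.conf built from the page's reference-policy example, honours disable = 1, applies the README's rule that the first alias is the one used to compute translations, and translates the level field of a context in both directions. The Base/ModifierGroup variable translations described in the README are not implemented.

```python
# Added example (not mcstransd code): the fixed 'raw_range=trans_range' part
# of setrans.conf, with 'disable = 1' and the first-alias rule from the README.
from typing import Dict, Optional, Tuple

# Constructed from the page's reference-policy setrans.conf example.
SETRANS_CONF = """\
# Multi-Level Security translation table for SELinux
# disable=1
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
s1=Unclassified
s1=U
s2=Secret
s2:c0=A
s2:c1=B
s0-s1=SystemLow-Unclassified
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
"""


class SetransTable:
    def __init__(self, text: str) -> None:
        self.disabled = False
        self.raw_to_label: Dict[str, str] = {}   # first alias wins (README rule)
        self.label_to_raw: Dict[str, str] = {}   # every alias maps back to raw
        for raw_line in text.splitlines():
            line = raw_line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key == "disable":
                self.disabled = value == "1"
                continue
            if not key or not value:
                raise ValueError(f"malformed setrans line: {raw_line!r}")
            self.raw_to_label.setdefault(key, value)
            self.label_to_raw.setdefault(value, key)

    def trans(self, raw: str) -> str:
        """Raw level or range -> label. Values without a translation, and all
        values when translation is disabled, pass through unchanged."""
        if self.disabled:
            return raw
        return self.raw_to_label.get(raw, raw)

    def untrans(self, label: str) -> str:
        """Label (any alias) -> raw level or range."""
        if self.disabled:
            return label
        return self.label_to_raw.get(label, label)


def split_context(ctx: str) -> Tuple[str, Optional[str]]:
    """user:role:type[:level] -> (user:role:type, level-or-range or None)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return ":".join(parts[:3]), parts[3] if len(parts) == 4 else None


def translate_context(table: SetransTable, ctx: str) -> str:
    base, level = split_context(ctx)
    return base if level is None else f"{base}:{table.trans(level)}"


def untranslate_context(table: SetransTable, ctx: str) -> str:
    base, level = split_context(ctx)
    return base if level is None else f"{base}:{table.untrans(level)}"


def valid_semanage_label(label: str) -> bool:
    """The -T component of 'semanage translation -a' must not contain spaces."""
    return bool(label) and " " not in label


if __name__ == "__main__":
    table = SetransTable(SETRANS_CONF)
    print(translate_context(table, "system_u:system_r:init_t:s0-s15:c0.c1023"))
    print(untranslate_context(table, "user_u:user_r:user_t:Secret:AB-SystemHigh"))
```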

secolor.conf File

This optional file controls the colour associated with the various fields within the setrans.conf file when the information is displayed by a SELinux colour-aware application (currently none!). This has not been fully documented, however the file format is as follows:

color_mask

A colour mask starting with a hash (#) that describes the colour with black being #ffffff and white being #000000.

context_field

The colour translation supports different colours on the context string components (user, role, type and range or level). Each component is on a separate line.

string

This is a defined string within the setrans.conf file that will be displayed in the colour required. The colour initialisation code will check that the field exists in the file. An * can be used to define all entries of the defined context_field entry.
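
An added example (not libselinux's selinux_raw_context_to_color) that parses the two line forms of secolor.conf, color color_name = color_mask and context_field string foreground_color_name background_color_name, applies the * wildcard and the check that a range string exists in setrans.conf, and returns the foreground/background masks per context field. The setrans.conf ranges are a constructed set rather than a parse of that file.

```python
# Added example (not libselinux code): parse secolor.conf and return the
# foreground/background colour masks for each field of a raw context.
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the page's secolor.conf example (a subset of its lines).
SECOLOR_CONF = """\
color black = #000000
color green = #008000
color yellow = #ffff00
color white = #ffffff
color orange = #ffa500
color tan = #D2B48C

user * = black black
role * = white black
type * = tan orange
range s0-s0:c0.c1023 = black green
range s15:c0.c1023 = black yellow
"""

# Constructed stand-in for the check that a 'string' exists in setrans.conf:
# the raw ranges that file is assumed to define.
SETRANS_RANGES = frozenset({"s0-s0:c0.c1023", "s15:c0.c1023"})

FIELDS = ("user", "role", "type", "range")
MASK_RE = re.compile(r"#[0-9A-Fa-f]{6}")


class SecolorConfig:
    def __init__(self, text: str, defined_ranges: frozenset = frozenset()) -> None:
        self.colors: Dict[str, str] = {}                  # color_name -> mask
        self.rules: Dict[str, List[Tuple[str, str, str]]] = {f: [] for f in FIELDS}
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            lhs, sep, rhs = line.partition("=")
            lhs_parts, rhs_parts = lhs.split(), rhs.split()
            if not sep or len(lhs_parts) != 2:
                raise ValueError(f"line {lineno}: expected 'keyword name = value'")
            keyword, name = lhs_parts
            if keyword == "color":                        # color color_name = color_mask
                if len(rhs_parts) != 1 or not MASK_RE.fullmatch(rhs_parts[0]):
                    raise ValueError(f"line {lineno}: bad colour mask {rhs.strip()!r}")
                self.colors[name] = rhs_parts[0].lower()
                continue
            # context_field string foreground_color_name background_color_name
            if keyword not in FIELDS or len(rhs_parts) != 2:
                raise ValueError(f"line {lineno}: bad rule {line!r}")
            fg, bg = rhs_parts
            for colour in (fg, bg):
                if colour not in self.colors:
                    raise ValueError(f"line {lineno}: undefined colour {colour!r}")
            if keyword == "range" and name != "*" and name not in defined_ranges:
                raise ValueError(f"line {lineno}: range {name!r} not in setrans.conf")
            self.rules[keyword].append((name, fg, bg))

    def colors_for(self, field: str, value: str) -> Optional[Tuple[str, str]]:
        """(foreground mask, background mask) from the first matching rule;
        '*' matches any value of the field."""
        for pattern, fg, bg in self.rules[field]:
            if pattern == "*" or pattern == value:
                return self.colors[fg], self.colors[bg]
        return None


def context_to_color(cfg: SecolorConfig, ctx: str) -> str:
    """Mirror the documented output shape: fg bg pairs for user, role, type
    and range (the range pair is omitted when the context carries no level)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    masks: List[str] = []
    for field, value in zip(FIELDS, parts):
        pair = cfg.colors_for(field, value)
        if pair is None:
            raise LookupError(f"no colour rule matches {field}={value!r}")
        masks.extend(pair)
    return " ".join(masks)


if __name__ == "__main__":
    cfg = SecolorConfig(SECOLOR_CONF, SETRANS_RANGES)
    print(context_to_color(cfg, "system_u:system_r:init_t:s0-s0:c0.c1023"))
```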

policy/policy.[ver] File

This is the binary policy file that is loaded into the kernel to enforce policy and is built by either checkpolicy or semodule. Life is too short to describe the format, but the libsepol source could be used as a reference or, for an overview, the SELinux Policy Module Primer notes.

The file name extension is the policy database version supported by the GNU / Linux release and can be found by executing the following command:

cat /selinux/policyvers
23

The different versions are discussed in the Policy Versions section.

contexts/customizable_types File

This file contains a list of types that will not be relabeled by the setfiles(8) or restorecon(8) commands. The commands check this file before relabeling and exclude those in the list unless the -F flag is used (see the man pages).

The file format is as follows:

type

Where:

type

The type defined in the policy that needs to be excluded from relabeling. An example is when a file has been purposely relabeled with a different type to allow an application to work.

# Note that the ./contexts/users/[seuser_id] file is also read
# by some of these functions.
selinux_contexts_path
selinux_default_context_path
get_default_context
get_ordered_context_list
get_ordered_context_list_with_level
get_default_context_with_level
get_default_context_with_role
get_default_context_with_rolelevel
query_user_context
manual_user_enter_context
get_default_role

An example use (to get over a small feature) is that when the initial basic policy was built, no default_contexts file entries were required as only one role:type of unconfined_r:unconfined_t had been defined, therefore the login process did not need to decide anything (as the only user context was user_u:unconfined_r:unconfined_t).

However, when adding the loadable module that used another type (ext_gateway_t) but with the same role and user (e.g. user_u:unconfined_r:ext_gateway_t), it was found that the login process would always set the logged in user context to user_u:unconfined_r:ext_gateway_t (i.e. the login application now had a choice and chose the wrong one, probably because the types are sorted and 'e' comes before 'u').

The end result was that as soon as enforcing mode was set, the system got bitter and twisted. To resolve this the default_contexts file entries were set to:

unconfined_r:unconfined_t unconfined_r:unconfined_t

The login process could now set the context correctly to unconfined_r:unconfined_t. Note that adding the same entry to the contexts/users/user_u configuration file instead could also have achieved this.

contexts/dbus_contexts File

This file is for the dbus messaging service daemon (a form of IPC) that is used by a number of GNU / Linux applications such as the GNOME and KDE desktops. If SELinux is enabled, then this file needs to exist in order for these applications to work. The dbus-daemon man page details the contents, however it is not recommended that this file is changed. The Free Desktop web site has detailed information at:

contexts/default_type File

This file allows SELinux-aware applications such as newrole(1) to select a default type for a role if one is not supplied. An example use is by newrole when it is called to change a user's role with no type specified; this file is then consulted to determine the default type to use for the requested role.

The file format is as follows:

role:type

Where:

role:type

The file contains one or more lines that consist of role:type entries. There should be one line for each role defined within the policy.

contexts/initrc_context File

This is used by the run_init(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.

The file format is as follows:

security_context

Where:

security_context

The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.

Example file contents:

# ./contexts/initrc_context - Taken from the reference policy.
system_u:system_r:initrc_t

# ./contexts/initrc_context - Taken from the MLS reference
# policy. Note that the init process has full access via the
# range s0-s15:c0.c255.
system_u:system_r:initrc_t:s0-s15:c0.c255

Supporting libselinux API functions are:

selinux_context_path

contexts/netfilter_contexts File

This file will support the Secmark labeling for Netfilter / iptable rule matching of network packets, however it is currently unused (see the ./modules/active/netfilter_contexts & netfilter.local file section for further information).

Supporting libselinux API functions are:

selinux_context_path
selinux_netfilter_context_path

contexts/removable_contexts File

This file contains the default label that should be used for removable devices that are not defined in the contexts/files/media file.

The file format is as follows:

security_context

Where:

security_context

The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.

Example file contents:

# ./contexts/removable_contexts - Taken from the reference policy.
system_u:object_r:removable_t

contexts/x_contexts File

This file provides the security contexts (and other configuration information) for the X-Windows SELinux security extension. Its usage is discussed in the X-Windows SELinux Support section, and examples of how to add additional entries are shown in the Experimenting with X-Windows section. The MCS / MLS version of the file has the appropriate level or range information added.

The selabel_* set of libselinux API functions allow information to be retrieved from the x_contexts file. These are described in the relevant man pages and also in selabel_x(5).

These are the object names of the specific X-server resource such as PRIMARY, CUT_BUFFER0 etc. They are generally defined in the X-server source code (protocol.txt and BuiltInAtoms in the dix directory of the xorg-server source package) or by the X-Windows application (e.g. using XInternAtom).

This can contain '*' for 'any' or '?' for 'substitute' (see the CUT_BUFFER? entry where the '?' would be substituted for a number between 0 and 7 that represents the number of these buffers).

context

This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label (:s0 as standard).

contexts/files/file_contexts.local File

This file is added by the semanage fcontext command as described in the ./modules/active/file_contexts.local file section to allow locally defined files to be labeled correctly.

contexts/files/file_contexts.homedirs File

This file is managed by the semodule and semanage commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited.

It is generated by the genhomedircon(8) command (in fact by semodule -Bn, which rebuilds the policy) and used to set the correct contexts on the users' home directories and files.

It is fully described in the ./modules/active/file_contexts.homedirs file section.

Supporting libselinux API functions are:

selinux_file_context_homedir_path
selinux_homedir_context_path

contexts/files/media File

Used to map media types to a file context. If the media_id cannot be found in this file, then the default context in the ./contexts/removable_contexts file is used instead.

The file format is as follows:

media_id file_context

Where:

media_id

The media identifier (those known are: cdrom, floppy, disk and usb).

file_context

The context to be used for the device (note that it does not seem to have the MLS / MCS level).

Example file contents:

# ./contexts/files/media - Taken from the reference policy
# (note that the same file is generated for all types of policy).
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t

Supporting libselinux API functions are:

selinux_media_context_path

contexts/users/[seuser_id] File

These optional files are named after the SELinux user they represent (e.g. seuser_id = user_u). Each file has the same format as the contexts/default_contexts file and is used to assign the correct context to the SELinux user.